01/29/08 15:22 FAX 301 903 4656   CAPITAL REGION

DOE F 1325.8

United States Government
Department of Energy

Memorandum

DATE:      January 28, 2008

REPLY TO
ATTN OF:   IG-34 (A07TG029)                      Audit Report No.: OAS-L-08-04

SUBJECT:   Report on "Department's Implementation of the Strategic Integrated Procurement Enterprise System - Security Planning"

TO:        Chief Financial Officer, CF-1

INTRODUCTION AND OBJECTIVE

On November 28, 2007, we issued a report on Department's Implementation of the Strategic Integrated Procurement Enterprise System - Overall Project Planning (OAS-L-08-02). This was the second in a series of reports to address the Department of Energy's (Department) Strategic Integrated Procurement Enterprise System (STRIPES) initiative and to determine whether ongoing efforts in the areas of transition planning, interfaces, and testing; overall project planning; and security were satisfying Federal and Department system development requirements, goals, and mission needs.

In our most recent report, we observed that overall project planning for STRIPES largely satisfied Federal and Department system development requirements, goals, and mission needs. However, we noted several opportunities to improve the planning and implementation processes. To improve project management we suggested that management consolidate project documentation, approve a critical path for project execution, provide detail on duplicative systems and take action to ensure that all duplicative systems are terminated as soon as practicable. Management concurred with our suggestions and agreed to take action to resolve issues discussed in our second report. This report, the third and final in the series, focuses on whether ongoing security planning efforts are satisfying Federal and Department system development requirements, goals, and mission needs.

CONCLUSION AND OBSERVATIONS

Consistent with our last report, we noted that, for the most part, security planning for STRIPES satisfied Federal and Department system development requirements, goals and mission needs. For instance, the formal certification and accreditation process of the system had begun. Physical safeguards were also in place and, if complied with, should be sufficient for controlling access to the system. Plans for continuity of operations and disaster recovery have been developed for the system. An alternate processing facility exists for recovering services and restarting operations in event of an emergency, service disruption, or disaster. Automated controls that separate user responsibilities based on job function are in place in the system and should help ensure its integrity and that of the information that resides within. However, our review identified several opportunities to improve the security planning process.

Vulnerability Scanning

No provision exists in STRIPES planning for performing scans for vulnerabilities that [...] hosted and managed within the Department's Application Hosting Environment (AHE), which is an enterprise hosting environment run by the Department's Office of Chief Information Officer (OCIO). The AHE manages network security and provides the necessary infrastructure to support a variety of Department business applications. According to the STRIPES security plan, scans for vulnerabilities are a common security control under the responsibility of the OCIO. An OCIO official told us that broad-based scans of the Department's network for vulnerabilities are performed monthly or when significant new vulnerabilities potentially affecting the network are identified and reported. The official also indicated that while application system specific scans could be provided if desired, they are not currently part of the service agreement for STRIPES. Such scans can be valuable for identifying application specific risk and determining the effectiveness of security controls or policy. For instance, a periodic scan could be used to assess enforcement of the 90 day password change requirement established for the system.

Encryption of Data

Officials also need to assess the risk that unencrypted transfer and storage of sensitive STRIPES data could result in compromise by unauthorized access. For risk and protection purposes, STRIPES has a moderate information sensitivity rating and will include unclassified controlled nuclear information and privacy information. According to an AHE representative supporting STRIPES, data or information is encrypted in transmission between the application server and database server. However, this data or information is not encrypted when transmitted between the database server, file storage network, and where backed up to media or tape. It is also not encrypted when residing on the database server in memory, the storage network, and backup media or tape. The data or information, therefore, could be vulnerable to unauthorized access or download from the server or storage media, or loss of backup tapes to the offsite storage location. The representative also told us that an encryption product could be installed by the OCIO that covers the database server and storage network. The AHE representative indicated that the OCIO was in the process of starting to encrypt data or information stored on tapes.

Access Controls

While a policy had been developed that largely addresses the controls necessary for managing access to the system, it needed to be updated. Specifically, we noted that the policy did not accurately reflect the method for enforcing the requirement for changing passwords every 90 days. In addition, it did not address the timing out of sessions after a period of inactivity, additional password requirements for officials with approving authority, and the role of system owner and approvers in the semi-annual user account review process. Consistent with the objectives of the policy, a reliable and error-free methodology is essential to guarantee the integrity of information contained in STRIPES.

Contrary to Department requirements, two-factor authentication - a critical security control - had not been implemented for STRIPES accounts with privileged access. The Department's password management guidance requires implementing a mandatory two-factor authentication process for access to accounts with special privileges (e.g., system administrators). In our testing of access control configuration, we noted that the STRIPES system administrator, a privileged account holder, utilized one-factor authentication (i.e., user id and password) to access the system.

POTENTIAL IMPACTS

One of the major objectives of project officials in requesting the audit was to identify any STRIPES risks or issues that could impact the audit of financial statements. Our work up to this point to evaluate the STRIPES system development has not identified any potential issues which would impact future audits of the Department's financial statements. The issues discussed above related to security planning could, however, potentially impact the security risk to STRIPES operations and the information that will ultimately be contained within it.

SUGGESTED ACTIONS

To help ensure incorporation of sufficient protective measures, we suggest that the Chief Financial Officer direct the STRIPES project management team to:

   1. Incorporate in the agreement with the OCIO provisions for performing periodic scans for vulnerabilities that are specific to the system or application on which STRIPES is based;

   2. Update the STRIPES access control policy to reflect the actual controls and to clarify responsibilities for reviewing access;

   3. Implement a two-factor authentication method for accessing STRIPES accounts with special privileges; and,

   4. Assess the risk and recommend, if necessary, that the OCIO take actions to encrypt STRIPES data or information when transmitted, while residing in memory and when in storage onsite or at the offsite location.

MANAGEMENT REACTION

Management agreed to work with the AHE to determine if tools are available for performing scans for vulnerabilities that are specific to the system or application on which STRIPES is based. Also, they agreed to review and update the access control policy and to research the feasibility of implementing a two-factor authentication method with the STRIPES application vendor. In addition, they agreed to assess the risk and work with the OCIO to encrypt STRIPES data if determined to be required and feasible.

Since no formal recommendations are being made in this report, a formal response is not required. We appreciate the cooperation of your staff during this phase of the audit.

                                   Rickey R. Hass
                                   Assistant Inspector General
                                     for Environment, Science, and Corporate Audits
                                   Office of Inspector General

Attachment

cc:   Director, Office of Management, MA-1
      Chief Information Officer, IM-1
      Chief of Staff
      Team Leader, Audit Liaison, CF-1.2
      Audit Liaison, IM-10
      Audit Liaison, MA-40

                                                                    Attachment

                        SCOPE AND METHODOLOGY

SCOPE AND METHODOLOGY

Fieldwork for Department of Energy's (Department) Implementation of the Strategic Integrated Procurement Enterprise System (STRIPES) - Security Planning was performed between July 2007 and January 2008 at Department Headquarters in Germantown, Maryland. To accomplish the audit objective, we:

   * Reviewed applicable laws, regulations, and guidance pertaining to information technology; financial management systems; information and system security; and system development and implementation. We also reviewed relevant reports issued by the Office of Inspector General; Office of Cyber Security Evaluations; and the Government Accountability Office;

   * Reviewed the Government Performance and Results Act of 1993 and determined if performance measures had been established for STRIPES;

   * Held discussions with Department officials and personnel and obtained and reviewed relevant documentation relating to development and implementation, particularly in the area of information and system security; and,

   * Assessed the effectiveness of controls being implemented for ensuring integrity of information and safeguarding information resources from unauthorized sources.

The audit was performed in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. Accordingly, we assessed significant internal controls and performance measures under the Government Performance and Results Act of 1993 regarding implementation of STRIPES and found that performance measures, objectives and goals did exist relating to the STRIPES implementation effort. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We did not rely on computer-processed data to accomplish our audit objective. We discussed the contents of this report with an Office of Chief Financial Officer representative on January 14, 2008.